Documentation
¶
Overview ¶
Package serviceaccount provides implementations to manage service accounts and service account tokens
Index ¶
- Constants
- func JWTTokenAuthenticator(keys []*rsa.PublicKey, lookup bool, client client.Interface) authenticator.Token
- func MakeUsername(namespace, name string) string
- func ReadPrivateKey(file string) (*rsa.PrivateKey, error)
- func ReadPublicKey(file string) (*rsa.PublicKey, error)
- func SplitUsername(username string) (string, string, error)
- type ServiceAccountControllerOptions
- type ServiceAccountsController
- type TokenGenerator
- type TokensController
- type TokensControllerOptions
Constants ¶
const ( ServiceAccountUsernamePrefix = "serviceaccount" ServiceAccountUsernameSeparator = ":" Issuer = "kubernetes/serviceaccount" SubjectClaim = "sub" IssuerClaim = "iss" ServiceAccountNameClaim = "kubernetes.io/serviceaccount/service-account.name" ServiceAccountUIDClaim = "kubernetes.io/serviceaccount/service-account.uid" SecretNameClaim = "kubernetes.io/serviceaccount/secret.name" NamespaceClaim = "kubernetes.io/serviceaccount/namespace" )
Variables ¶
This section is empty.
Functions ¶
func JWTTokenAuthenticator ¶
func JWTTokenAuthenticator(keys []*rsa.PublicKey, lookup bool, client client.Interface) authenticator.Token
JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator Token signatures are verified using each of the given public keys until one works (allowing key rotation) If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified using the given client
func MakeUsername ¶
MakeUsername generates a username from the given namespace and ServiceAccount name. The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name.
func ReadPrivateKey ¶
func ReadPrivateKey(file string) (*rsa.PrivateKey, error)
ReadPrivateKey is a helper function for reading an rsa.PrivateKey from a PEM-encoded file
func ReadPublicKey ¶
ReadPublicKey is a helper function for reading an rsa.PublicKey from a PEM-encoded file Reads public keys from both public and private key files
Types ¶
type ServiceAccountControllerOptions ¶
type ServiceAccountControllerOptions struct {
Name string
ServiceAccountResync time.Duration
NamespaceResync time.Duration
}
func DefaultServiceAccountControllerOptions ¶
func DefaultServiceAccountControllerOptions() ServiceAccountControllerOptions
type ServiceAccountsController ¶
type ServiceAccountsController struct {
// contains filtered or unexported fields
}
ServiceAccountsController manages ServiceAccount objects inside Namespaces
func NewServiceAccountsController ¶
func NewServiceAccountsController(cl *client.Client, options ServiceAccountControllerOptions) *ServiceAccountsController
NewServiceAccountsController returns a new *ServiceAccountsController.
func (*ServiceAccountsController) Run ¶
func (e *ServiceAccountsController) Run()
Runs controller loops and returns immediately
func (*ServiceAccountsController) Stop ¶
func (e *ServiceAccountsController) Stop()
Stop gracefully shuts down this controller
type TokenGenerator ¶
type TokenGenerator interface {
// GenerateToken generates a token which will identify the given ServiceAccount.
// The returned token will be stored in the given (and yet-unpersisted) Secret.
GenerateToken(serviceAccount api.ServiceAccount, secret api.Secret) (string, error)
}
func JWTTokenGenerator ¶
func JWTTokenGenerator(key *rsa.PrivateKey) TokenGenerator
JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey. privateKey is a PEM-encoded byte array of a private RSA key. JWTTokenAuthenticator()
type TokensController ¶
type TokensController struct {
// contains filtered or unexported fields
}
TokensController manages ServiceAccountToken secrets for ServiceAccount objects
func NewTokensController ¶
func NewTokensController(cl client.Interface, options TokensControllerOptions) *TokensController
NewTokensController returns a new *TokensController.
func (*TokensController) Run ¶
func (e *TokensController) Run()
Runs controller loops and returns immediately
func (*TokensController) Stop ¶
func (e *TokensController) Stop()
Stop gracefully shuts down this controller
type TokensControllerOptions ¶
type TokensControllerOptions struct {
// TokenGenerator is the generator to use to create new tokens
TokenGenerator TokenGenerator
// ServiceAccountResync is the time.Duration at which to fully re-list service accounts.
// If zero, re-list will be delayed as long as possible
ServiceAccountResync time.Duration
// SecretResync is the time.Duration at which to fully re-list secrets.
// If zero, re-list will be delayed as long as possible
SecretResync time.Duration
}
TokensControllerOptions contains options for the TokensController
func DefaultTokenControllerOptions ¶
func DefaultTokenControllerOptions(tokenGenerator TokenGenerator) TokensControllerOptions
DefaultTokenControllerOptions returns
Source Files